Ransomware actors turn attention to holding websites hostage

Ransomware actors are looking for new targets. According to security vendor WordFence that target appears to be WordPress-powered websites.

Hot on the heels of WannaCry and NotPetya ransomware actors are looking for new targets. According to security vendor WordFence that target appears to be WordPress-powered websites.

"During our analyses of malicious traffic targeting WordPress sites" the report states "we captured several attempts to upload ransomware that provides an attacker with the ability to encrypt a WordPress website's files."

For every directory that the 'EV Ransomware' successfully encrypts, an email is generated to inform the attacker of the hostname and key used. The encryption appears to use mcrypt, and the Rijndael 128 algorithm with a SHA-256 hash key.

It seems that the attack is badly coded, however, and decryption logic is missing from the supposed 'ransom paid' form. Victims wouldn't be able to regain control of their files even if the ransom were to be paid.

This is bad news for those individuals and SME's that tend to favour WordPress on grounds of cost and simplicity. Which doesn't mean that larger enterprises are off the hook; threat actors will turn their attention to the broader web property space if a profit can be made.

Chris Doman, a security researcher at AlienVault, admits that the WordPress ransomware is a worrying trend that "could mean we're about to see a significant increase in ransomware on websites."

Duncan McAlynn, principal engineer & security evangelist at Ivanti, agrees that the threat actors will move on from WordPress sites. "Just as we've seen other ransomware families evolving and adapt to defensive techniques" McAlynn says "so too will these web-server based attacks." His advice is to apply due diligence to web properties and "hack yourself first, before the real hackers do."

But with the majority of larger enterprise sites being bespoke software development projects, just how vulnerable are they to such attacks? "The typical attack vector would be for an attacker to embed a ransomware toolkit into a software package" Colin Domoney, consultant solution architect at Veracode, told SC Media. "A software developer could easily be tricked into installing a fake package into their website application and subsequently exposing their organisation to attack," Domoney concludes.

So what mitigation steps should the enterprise be taking to protect web properties against the ransomware threat?

"There are several steps that enterprises can take to protect their web properties against the threat of ransomware" says Jeremiah Grossman, chief of security strategy at SentinelOne, continuing, "but even with all the best prevention mechanisms in place, enterprises should still plan for worst case scenarios." Which means knowing ahead of time how to recover important files and data in the event of compromise."

CR Srinivasan, senior vice president, Global Product Management & Data Centre Services at Tata Communications, told SC Media that in order to protect web properties the enterprise needs to shift from an incident response mindset to a continuous response one. Which means adopting an adaptive approach to security. "Typically, there are four stages in an adaptive security life cycle: preventative, detective, retrospective and predictive" Srinivasan explains, "for organisations to protect themselves, they need to get the right mix."

Lawrence Munro, world wide VP of SpiderLabs at Trustwave told us here at SC that, "our response to this new variant of ransomware would be, at a high level, the same as all other ransomware." He has a point, after all wherever files are successfully encrypted the enterprise must nullify the initial attack vector. Munro suggests the following mitigations to achieve this:

Appropriate and timely patching of frameworks. Limiting the scope of administrator interfaces, they should not be Internet accessible for example. Ensuring passwords are robust, non-guessable and not shared between other enterprise applications. Multi-factor authentication for admin level access to the framework. And adopting a defence-in-depth approach with a web-application firewall (WAF) to mitigate web application borne threats like SQLi.